How secure is your UPSI as SEBI tightens its reins on Insider Trading?
In September 2021, the Indian markets regulator, the Securities and Exchange Board of India (SEBI), banned an employee of an Indian MNC headquartered in Bangalore and his counterpart, an employee of a leading global information technology company, from trading in stock exchanges till further orders.
Illegal proceeds of 2.62 crore rupees, generated through insider trading activities, were impounded. This is just one example of insider trading. Both of them had violated SEBI’s Prohibition of Insider Trading Act 2015 (“PIT Regulations”).
SEBI has actively sought to bring objectivity and consistency to the regulations through substantial amendments in 2018 and 2020. There have been similar incidents in the recent past where SEBI has levied hefty fines and penalties on enterprises for such violations.
The advent of Covid-19 and the subsequent lockdown have caused significant business disruptions and market volatility globally. This provided a lucrative opportunity for “insiders” who regularly have access to information that is confidential and not public knowledge.
This information, when exposed to the public, is likely to impact the price of the securities or shares. As remote working turns out to be the “new normal”, the risks pertaining to leakage of price-sensitive information have also increased.
What is insider trading?
Insider Trading refers to the direct or indirect trading in the securities of a publicly listed company, by a person who has access to the unpublished, privileged information of such nature that it would be capable of influencing the market price of such company’s securities.
Unpublished Price Sensitive Information (UPSI) is any information that relates, directly or indirectly, to a company or its securities (listed or proposed to be listed), that is generally not available to the public, and that is kept confidential. Such confidential information includes financial results, dividends, mergers, acquisitions and other such transactions, changes in capital structure, and changes in key managerial personnel. Whether a trade counts as insider trading depends on when it takes place. It is termed unethical when the trade happens while the information is still private, skewing the trade in favor of one party.
SEBI monitors trading closely to track such insider trading and to prevent a few traders from manipulating the market. Since the number of insider trading complaints made to SEBI is increasing day by day and the penal consequences are huge, businesses should monitor this compliance very closely.
An overview of the regulation
SEBI issued the Prohibition of Insider Trading (PIT) amendment regulation on July 17, 2020, to further amend the regulation made in 2015. The amended regulation stresses matters related to the sharing of UPSI, tracing the flow of such information, the creation of an induction process for how and when people are brought inside (especially on sensitive transactions), and the assignment of roles and responsibilities to the Board and the Audit Committee for maintaining a digital database of information shared with insiders and for reviewing compliance with the codes and internal controls, respectively.
“Regulation 3(5) had stated that security of highly sensitive data, such as UPSI, is the responsibility of an organization’s financial department, and as such, it is under the aegis of the Chief Financial Officer himself”.
The CFO’s skin is in the game. A new sub-regulation 3(6) has been inserted, which specifies the handling of price-sensitive database information and the preservation of the database for not less than eight years after completion of the relevant transactions. In the event of receipt of any information from the board regarding any investigation or enforcement proceedings, the relevant information in the digital database shall be preserved till the completion of such proceedings.
The 2020 amendments to the PIT regulations aim at bolstering the level of compliance and mitigating the defects plaguing them. Before the amendment, there was considerable confusion concerning the handling of UPSI by intermediaries.
What do companies need to do in handling UPSI?
Preservation of UPSI is an important duty of the company. To prevent insider trading and to ensure compliance with the requirements given in the SEBI regulations, 2015, the CEO, the Managing Director, the Compliance Officer, or such other analogous person of a listed company, intermediary, or fiduciary has to put in place an adequate and effective system of internal controls.
Companies’ responsibilities in handling UPSI include the following:
- All employees who have access to UPSI are identified as designated employees to prevent insider trading. No private persons or non-employees, especially family members of the board of directors, should have access to the board meeting
- Educating all insiders about the sensitivity of the information and restricting disclosures to a ‘need to know’ basis
- Prepare a Code of Conduct policy for the preservation of data, for the prevention of insider trading, and for its designated persons and their immediate relatives
- Amend the Code of Fair Disclosures in Conduct to include a policy for determination of legitimate purposes for sharing UPSI
- Maintenance of a structured digital database with details such as the persons/entities with whom UPSI is shared
- The Compliance Officer shall close the trading window at the very first instance at which UPSI may occur. The trading window shall be closed as and when the Compliance Officer deems fit and is of the view that a Designated Person or class of Designated Persons can reasonably be expected to be in possession of UPSI.
- Adequate restrictions shall be placed on the communication or procurement of UPSI, as required by the SEBI (Prohibition of Insider Trading) Regulations, 2015
- A list of all employees and other persons with whom UPSI is shared shall be maintained and confidentiality agreements shall be signed or notice shall be served to all such employees and persons
- All other relevant requirements specified under the Regulations shall be complied with
- A periodic process review shall be conducted to evaluate the effectiveness of such internal controls
- Companies to initiate appropriate inquiries on becoming aware of a leak/suspected leak of UPSI and inform SEBI
Transparency is key – The new amendment emphasizes the need for companies to set up a mechanism to know how and when various stakeholders are brought ‘in’ and made part of the transactions involving sensitive data. Thus, as per the new mandate, companies should have a system to track the flow of data – where it emerges from and with whom it is shared.
How SECUDE’s HALOCORE addresses SEBI PIT Regulatory Compliance Requirements
SECUDE’s HALOCORE is a unique solution for the protection of sensitive and critical information such as UPSI and other financial data that are exported from SAP. It has a modular structure in order to guarantee effective protection within just a few days of implementation.
Business-critical, confidential data stored in a SAP system is sufficiently protected inside the secure boundaries of the SAP network. It becomes exposed when users extract the information from the SAP systems during collaboration like sharing or reporting.
Every day, unprecedented volumes of data are extracted from a SAP system, increasing the risk of loss and theft. Moreover, legacy data protection solutions have a tough time when it comes to protecting SAP data due to lack of context exclusively available inside the SAP system. Tightly fitting itself between the gaps of challenges and solutions is HALOCORE.
By integrating directly with SAP, HALOCORE protects data with automated classification, blocks unauthorized reports, and helps apply fine-grained access policies before documents exit SAP’s boundaries and reach the user’s system.
This innovative approach allows enterprises to maintain a high level of control and security over sensitive documents extracted from SAP throughout their lifetime, even if these have been shared via email, downloaded to a recipient’s PC, or printed as PDF.
HALOCORE connects the two worlds of SAP and Microsoft. It extends Microsoft’s security templates into SAP to extend data security throughout a data file’s life cycle, wherever it may be or may go.
The different HALOCORE models, and how they can secure your confidential data, prevent data loss and help you become GDPR compliant, are given below:
Monitor – Complete transparency over exports of UPSI stored in SAP. Automated implementation of compliance guidelines for SAP data exports with context-based classification. Generation of alerts in case of compliance breaches and closing detection gaps in SAP Access Control (GRC).
Enterprises gain insights into the ‘invisible’ SAP application activities and significantly reduce their IT security risk.
Block – Recognizing and preventing sensitive financial data in SAP from being leaked and used in a manner that is in breach of the rules. Control of unlawful data uses with context-based classification.
Protect – Encrypting data exports with Microsoft Azure Information Protection (AIP/RMS) and sharing these across the company. Integration of completely customizable and safety-related classification features.
With insider trading, the illegal practice of trading on the stock exchange to one’s benefit because of access to sensitive or confidential information, on the rise, SEBI has tightened its reins to protect investors. Therefore, every company should increase its protection measures so that public sensitive information is not leaked/diluted to anyone except on a need-to-know basis and to the regulatory authorities based on legitimate purposes. Since the penal consequences are huge and a violation also affects the goodwill of the company, the company should monitor this compliance very closely.